Rules of engagement for patch warfare

Over ten years ago, I locked my keys in my car. It was the first time in my life I had ever done this and I have never done it since. But, to this day, my wife still asks me if I have the keys every time I shut the car door. A decade of not locking the keys in my car has done little to gain her trust.

I feel the same way about Windows patches. I’ve been burned enough to think twice every time I let Windows install a hotfix for me. For countless companies around the world, patch management has become a million-dollar nightmare.

I remember the first NT4 server I ever administered. After years of being unprivileged, I finally got promoted to use the Administrator login for myself. But I was still so naïve about security — my password was superman.

I remember looking at Microsoft’s list of available hotfixes and being so overwhelmed that I just put it off to deal with later. Of course, the task grew greater each month and finally got to a point where I was so far behind, it was just easier to wait until the next service pack and start over again. It turns out that that approach wasn’t too uncommon among NT administrators.

Windows 2000 was my fresh start

When Windows 2000 came out, I was determined to not let that ever happen again. I studied, dissected, tested, and tracked every new Win2k hotfix that ever came out.

One side-effect of all that study was that it made me acutely aware of all the sloppy patchwork Microsoft put out. It got so bad that I gradually lost all confidence in the system.

So, like my wife, I too began to question; I came up with a list of rules to protect myself. Even after all this time, I still don’t feel comfortable installing a patch without considering at least some of these rules.

To many people, these rules might seem extreme and somewhat paranoid, but I’m a security consultant — people pay me to be paranoid.

Rule 1: Don’t always trust what you read

Microsoft has come a long way in improving the consistency and quality of their KB articles and security bulletins.

But, at one time, this was a big problem. If a KB article said something worked or didn’t work, I simply couldn’t trust it; I had to test it out for myself. And, to my disappointment, my tests too often proved the KB article wrong, further confirming my mistrust.

Rule 2: Don’t always trust what you know

Even if you test something, that doesn’t mean it won’t change. For every security bulletin Microsoft releases, there are dozens of other security-related KB articles that go unnoticed.
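The practical form of both rules is to check the machine rather than the article: confirm that the hotfix is actually registered as installed, and that the file the bulletin says it replaces really is at or above the version the bulletin claims. The script below is an added example written for this page, not code from the original article. It uses only standard cmdlets (Get-HotFix, Get-Item) and .NET file-version properties; the KB number, file path and minimum version in the table are placeholders you fill in from the bulletin you are verifying.

```powershell
# Added example (not from the original article). Verifies patch state on the local
# machine instead of trusting a KB article's description of it.
#
# ASSUMPTION: the entries in $Expected are placeholders. Replace KB, File and
# MinVersion with the values from the security bulletin you are checking.

function Get-FileVersionObject {
    param([string]$Path)
    # Build a System.Version from the numeric parts of the PE version resource.
    # FileVersion as a string can carry trailing text, so use the integer parts.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-PatchState {
    param(
        # Each entry: the KB ID the bulletin cites, one file the patch replaces,
        # and the minimum file version the bulletin says the patched file carries.
        [array]$Expected
    )

    # Get-HotFix reads Win32_QuickFixEngineering, which lists updates applied through
    # Component Based Servicing. Updates installed another way (MSI-based products,
    # manual file copies) do not appear here, so absence is a prompt to look further,
    # not proof on its own.
    $installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($e in $Expected) {
        $kbListed = $installedKbs -contains $e.KB
        $fileFound = Test-Path -LiteralPath $e.File
        $fileVersion = $null
        $fileOk = $false

        if ($fileFound) {
            $fileVersion = Get-FileVersionObject -Path $e.File
            $fileOk = $fileVersion -ge [version]$e.MinVersion
        }

        # Decide what the evidence says. The interesting rows are the ones where the
        # registry-level view (KB listed) and the on-disk view (file version) disagree.
        $verdict = if ($kbListed -and $fileOk) { 'Patched' }
                   elseif ($kbListed -and -not $fileOk) { 'KB listed but file version too old: verify manually' }
                   elseif (-not $kbListed -and $fileOk) { 'File already at patched version, KB not listed' }
                   else { 'Not patched' }

        [pscustomobject]@{
            KB          = $e.KB
            KBListed    = $kbListed
            File        = $e.File
            FileFound   = $fileFound
            FileVersion = $fileVersion
            MinVersion  = [version]$e.MinVersion
            FileOk      = $fileOk
            Verdict     = $verdict
        }
    }
}

# Placeholder table (ASSUMPTION): substitute the real KB, file and version from the bulletin.
$Expected = @(
    @{ KB = 'KB0000000'; File = "$env:SystemRoot\System32\ntdll.dll"; MinVersion = '0.0.0.0' }
)

Test-PatchState -Expected $Expected | Format-Table -AutoSize
```

Run it once before the patch to record the baseline file versions and once after; a row whose verdict is anything other than Patched is exactly the case the two rules warn about, and the only way to settle it is to look at the file on disk rather than at the article.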
